Don't Hug These Internet-Connected Stuffed Toys

Spiral Toys, which manufactures the CloudPets range of Bluetooth-enabled "smart toys," is under fire over privacy after exposing 821,000 user records online, together with links to 2.2 million voice recordings of parents and children captured by its interactive toys and companion apps.

Copies of the data are in wide circulation and appear to be the focus of multiple attempted ransom shakedowns, says Troy Hunt, the Australian developer who runs the Have I Been Pwned breach-notification service. He says that he and other researchers have verified that the exposed data is legitimate.

"The data is now in the wild."

On Feb. 28, Harold Chizick, a spokesman for Agoura Hills, Calif.-based Spiral Toys, said in an emailed statement to Information Security Media Group that "Spiral Toys was notified about a potential breach on Feb. 22 and took immediate and swift action to protect the privacy of our customers" by requiring all users to change their passwords. But information published by security researchers appears to contradict that timeline: researchers say they had been trying to alert the company since December, that they have received no password-change alerts, and that further flaws have not yet been addressed (see Yes, Unicorns With Bluetooth Problems Really Do Exist).

Ransom demands: Attackers downloaded and then deleted several of the exposed MongoDB databases - including one containing 821,000 user records - and left at least three different ransom notices for Spiral Toys.

Links: "The MongoDB contains references to both profile pictures and voice records which are stored in Amazon S3" - Simple Storage Service - Hunt says. Retrieving the linked recordings requires no user authentication: anyone holding a link can download the file. Hunt has posted a sample sound file recorded with a CloudPets toy to demonstrate what attackers could recover, and says links to all of the data stored on Amazon S3 were contained in the exposed MongoDB databases.

Passwords: While Spiral Toys stored passwords using the bcrypt password-hashing algorithm, a sound choice, it failed to enforce any password rules, as demonstrated in this YouTube video. As a result, users could pick very short passwords - such as "qwe" - or commonly used ones. bcrypt's deliberately slow hashing only raises the cost of each guess; it is no defense when the password appears within the first few thousand entries of an attacker's wordlist, meaning that many of the leaked hashes could be cracked quickly.

Bug reporting: Spiral Toys maintained no channel through which security researchers could report flaws in its products, and it could not be reached despite multiple attempts by different researchers, including a Dec. 31, 2016, trouble ticket that Dutch security researcher Victor Gevers logged in its Zendesk system.
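As an added illustration of the password finding above (example code written for this page, not code from Spiral Toys or from the researchers cited), the following Python shows why a slow password hash does not rescue very short or common passwords, and what a minimal password policy would have rejected. Because the standard library has no bcrypt, it uses hashlib.pbkdf2_hmac with a per-user random salt as a stand-in; the account names, passwords, wordlist and iteration count are all constructed for the example.

```python
import hashlib
import os
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for the top of a leaked-password list.
COMMON_PASSWORDS = ["123456", "password", "qwe", "qwerty", "cloudpets", "abc123", "111111"]

# Stand-in for bcrypt's work factor. Kept low so the example runs in a second;
# a real deployment would use a far higher cost.
ITERATIONS = 20_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh random salt if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def check_policy(password: str, min_length: int = 12) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    This is the check CloudPets lacked: length plus a deny list of common passwords.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    return problems


def crack(records: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack against leaked hashes.

    Per-user salts prevent precomputation, so the attacker pays one hash per
    (record, word) pair. With a short wordlist that cost is trivial however slow
    the hash is; only passwords outside the wordlist survive.
    """
    found = {}
    for user, (salt, digest) in records.items():
        for word in wordlist:
            if verify_password(word, salt, digest):
                found[user] = word
                break
    return found


def demo() -> Dict[str, str]:
    """Constructed sample accounts: two weak passwords no policy blocked, one strong."""
    chosen = {
        "parent1": "qwe",
        "parent2": "password",
        "parent3": "correct horse battery staple",
    }
    records = {user: hash_password(pw) for user, pw in chosen.items()}
    return crack(records, COMMON_PASSWORDS)


if __name__ == "__main__":
    for pw in ("qwe", "correct horse battery staple"):
        print(repr(pw), "policy problems:", check_policy(pw) or "none")
    print("cracked:", demo())
```

Running it recovers the two weak passwords and not the long one, and check_policy reports exactly the two problems ("shorter than 12 characters" and "appears in common-password list") that would have stopped "qwe" from being accepted in the first place. Swapping PBKDF2 for bcrypt changes the per-guess cost, not the outcome.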

Warnings, Then Ransom Demand

Motherboard says that, independently of Hunt, on Dec. 30, 2016, it received a tip-off that poorly secured CloudPets data was exposed online. "I want to inform you that 45.79.147.159 is running a MongoDB instance which appears not to be correctly configured or protected by a firewall allowing connections via port 2701," according to a message it received.

Hunt says that he and other security experts have been attempting to alert Spiral Toys to the security problems. Gevers, for one, tried to warn Spiral Toys multiple times beginning in late December 2016 but says he could not make contact.

@CloudPets Hi! I want to report a security issue but support@cloudpets.com & info@spiraltoys.com are not functional: Recipient not found.

Norway-based Irish security researcher Niall Merrigan charted a series of MongoDB ransom demands - all apparently part of the same campaign - beginning in January; the databases hit include one or more belonging to CloudPets. One of the related ransom notices reads: "You DB is backed up on our servers, send 1 BTC to 1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF then send your ip address to email:kraken0@india.com."

The breach is a reminder that too many organizations fail to provide a dedicated hotline for bug hunters. "I've said many times before in many blog posts, public talks and workshops that one of the greatest difficulties I have in dealing with data breaches is getting a response from the organization involved," Hunt says.

No One Home?

Wiggy, a cloud-connected piggy bank.

The failure to raise anyone at Spiral Toys may be related to the state of the company, whose share price now stands at less than one cent. The value of the company's stock - listed on the Over-The-Counter Bulletin Board, which is regulated by the Financial Industry Regulatory Authority - has been in decline since late 2015. Potential salvation in the form of an internet-connected "smart piggy bank" named Wiggy, which the company brought to market in November 2016, has so far failed to materialize.

As of Jan. 1, California - where Spiral Toys is based - requires public notification of breaches affecting 500 or more residents even when the leaked data was encrypted, if the security credentials or encryption keys that could unlock it were also exposed.

Creepy Smart Toy Redux

When it comes to smart toys - and many manufacturers' apparent disregard for kids' privacy - we've seen all of this before.

In 2015, for example, Hong Kong toymaker VTech was hacked and data on 200,000 kids exposed.

The same year, I detailed how Mattel's $75 internet-connected Hello Barbie, which could listen to children's conversations and respond to them, triggered privacy and creepiness warnings from experts.

Also in 2015, Ken Munro, a partner at U.K.-based penetration testing firm Pen Test Partners, showed how the $60 Cayla doll, which pairs with a smartphone running a dedicated app that processes what is said to the doll, could be hacked by an attacker within wireless range.

Germany Bans Cayla

Now, some regulators are taking action. Earlier this month, the Bundesnetzagentur - Germany's telecommunications watchdog - banned the Cayla doll on privacy grounds, because it surreptitiously records local conversations and transmits them to a web service. The doll was introduced in 2014.

"Any toy that is capable of transmitting signals and that can be used to record images or sound without detection is banned in Germany," according to the Bundesnetzagentur. It also found that the toy's wireless connection was poorly secured, leaving it at risk of local eavesdropping. Genesis Toys, which manufactures Cayla, couldn't be immediately reached for comment on those findings.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
